LDAP signing vs. TLS

Arup Biswas abiswas at pillardata.com
Thu Mar 15 22:09:48 GMT 2007


While searching for LDAP signing I found this old mail-exchange.
I presume this discussion was about client-side LDAP signing?
I was wondering if this is now supported in Samba 3?

As far as I can tell, LDAP security comes in two flavors - TLS/SSL support
and LDAP signing. I believe Samba 3 supports TLS/SSL, but not LDAP
signing, except for the reference in this old mail.

Also, please help me understand the requirements for TLS/SSL support.
I believe, in order to support TLS/SSL on the client side, we need to
install a certificate at the domain controller and the CA certificate for
the domain controller at the Samba server?

I would really appreciate your help in understanding this issue.

Cheers,
-Arup Biswas

Luke Howard wrote:
>> I also experimented with the LDAP signing.  This is simply
>> a kerb5 HMAC-MD5 signature on the GSS-API payload.
> 
> I know you know this, but this is a generalization; the signing
> algorithm is opaque to the GSS-API consumer and indeed, post
> RFC 4121, to the mechanism implementation itself.

Yup.  Didn't realize rfc4121 made it independent of
the mechanism though.  I'll go back and read that.

>> We can do this in Samba 3, but will have to implement
>> support in our own SASL code and need to make use
>> of gss_wrap()/gss_unwrap().  The krb5/gss code already
>> works as far as I can tell.
> 
> Yes, it works, implementing SASL integrity on top of gss_wrap()/
> gss_unwrap() is not difficult but you will need to use
> gss_init_sec_context() to establish the security context.

It just means moving from native krb5 to gss calls more
through the code.  Which is no trivial feat.
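To make the distinction in this thread concrete (signing versus TLS, and what a SASL integrity layer built on gss_wrap()/gss_unwrap() actually adds), here is an added toy model. It is not Samba code and does not call the GSS-API: the names `IntegrityLayer`, `IntegrityError`, `demo`, the shared key and the LDAP filter string are all constructed for the illustration, and HMAC-MD5 over a fixed key stands in for the context key that gss_init_sec_context() would negotiate and the opaque MIC that the mechanism would compute. The framing (four-octet length prefix) follows RFC 4422 section 3.7.

```python
import hashlib
import hmac
import struct

MIC_LEN = 16  # HMAC-MD5 digest length, matching the signature named in the thread


class IntegrityError(Exception):
    """Raised when a received frame fails the MIC or sequence check."""


class IntegrityLayer:
    """One endpoint's view of a SASL integrity-only ("signing") layer.

    Illustration only: a real implementation gets the per-connection key from
    gss_init_sec_context()/gss_accept_sec_context() and then calls
    gss_wrap()/gss_unwrap() with conf_req_flag=0, letting the mechanism pick
    the MIC algorithm. Here a constructed shared key and HMAC-MD5 stand in.
    """

    def __init__(self, session_key: bytes):
        self.key = session_key
        self.send_seq = 0   # counter covered by the MIC; detects replay/reordering
        self.recv_seq = 0

    def _mic(self, seq_hdr: bytes, pdu: bytes) -> bytes:
        return hmac.new(self.key, seq_hdr + pdu, hashlib.md5).digest()

    def wrap(self, pdu: bytes) -> bytes:
        """Sign one LDAP PDU. The PDU itself stays in the clear (no confidentiality)."""
        seq_hdr = struct.pack(">I", self.send_seq)
        self.send_seq += 1
        token = seq_hdr + self._mic(seq_hdr, pdu) + pdu
        # RFC 4422 section 3.7 framing: four-octet network-order length prefix
        return struct.pack(">I", len(token)) + token

    def unwrap(self, frame: bytes) -> bytes:
        """Verify one received frame and return the PDU, or raise IntegrityError."""
        if len(frame) < 4:
            raise IntegrityError("short frame")
        (length,) = struct.unpack(">I", frame[:4])
        token = frame[4:]
        if len(token) != length or length < 4 + MIC_LEN:
            raise IntegrityError("bad frame length")
        seq_hdr = token[:4]
        mic = token[4:4 + MIC_LEN]
        pdu = token[4 + MIC_LEN:]
        if not hmac.compare_digest(mic, self._mic(seq_hdr, pdu)):
            raise IntegrityError("MIC mismatch: message was modified")
        (seq,) = struct.unpack(">I", seq_hdr)
        if seq != self.recv_seq:
            raise IntegrityError("sequence mismatch: replayed or reordered frame")
        self.recv_seq += 1
        return pdu


def demo() -> dict:
    """Constructed run: one signed search PDU, then a tampered copy and a replay."""
    key = b"constructed-session-key"   # stands in for the negotiated context key
    client, server = IntegrityLayer(key), IntegrityLayer(key)
    pdu = b"(&(objectClass=user)(cn=admin))"  # constructed LDAP filter text
    frame = client.wrap(pdu)
    results = {
        "visible_in_clear": pdu in frame,          # signing does not hide content
        "roundtrip": server.unwrap(frame) == pdu,  # untouched frame is accepted
    }
    # Flip one bit inside the PDU: the MIC no longer matches.
    tampered = frame[:-6] + bytes([frame[-6] ^ 0x01]) + frame[-5:]
    try:
        server.unwrap(tampered)
        results["tamper_detected"] = False
    except IntegrityError:
        results["tamper_detected"] = True
    # Deliver the original, already-accepted frame a second time.
    try:
        server.unwrap(frame)
        results["replay_detected"] = False
    except IntegrityError:
        results["replay_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point the toy makes is the one Arup is asking about: a signing layer lets the peer detect modification and replay of each PDU, but the PDU is still readable on the wire, which is why TLS (confidentiality plus integrity) and signing (integrity only) are separate options rather than substitutes for each other.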
